fatalrat | d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9

Analysis

max time kernel
1s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
Size

2.8MB
MD5

541223c59d0b222184dbfa85f72d4324
SHA1

15f20b79dcbbcec73e8877cae40b8e060063cfcf
SHA256

d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9
SHA512

619bd8af46bbc9ee137de4a2d9b574aafb3e96d129d8f7627e68ff35730a150e0d75182a87557eb24a39e12baf9468903b4f51184b85616f2e7788aa85042e49
SSDEEP

49152:FIReUCpSq8TBMxcD1Z9sCykCRKjadHik88wzNSQ1RHKevdIXYwp426/VcYpD/UV3:rzpShT8o1Z9ssCRKjadHik88h+HTvdIN

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/2036-30-0x0000000001070000-0x000000000109A000-memory.dmp	fatalrat
behavioral2/memory/4044-52-0x0000000001D30000-0x0000000001D5A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe

Executes dropped EXE 1 IoCs

pid	Process
2036	QQMicroGameBox.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	QQMicroGameBox.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Application Verifier\QQMicroGameBox.exe	QQMicroGameBox.exe
File created	C:\Program Files (x86)\Application Verifier\cvsd.xml	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
File created	C:\Program Files (x86)\Application Verifier\afd.bin	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
File created	C:\Program Files (x86)\Application Verifier\fufu.bin	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
File created	C:\Program Files (x86)\Application Verifier\QQMicroGameBox.exe	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
File created	C:\Program Files (x86)\Application Verifier\sentry.dll	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3228	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
3228	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
3228	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
3228	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	QQMicroGameBox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3228	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2036	3228	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe	72
PID 3228 wrote to memory of 2036	3228	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe	72
PID 3228 wrote to memory of 2036	3228	d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe	72

C:\Users\Admin\AppData\Local\Temp\d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe
"C:\Users\Admin\AppData\Local\Temp\d526fabab53957d2f0d399d1f0181f2426635aeacdca76bd6ff4f70ff11858c9.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Program Files (x86)\Application Verifier\QQMicroGameBox.exe
  "C:\Program Files (x86)\Application Verifier\QQMicroGameBox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- - C:\Users\Admin\AppData\Local\QQMicroGameBox.exe
    "C:\Users\Admin\AppData\Local\QQMicroGameBox.exe"
    3⤵
    PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Application Verifier\QQMicroGameBox.exe

Filesize
1.9MB

MD5
7f8f210a6f11a1e556b8dd7bb26e2e7d

SHA1
49a1e7d58e43cc5e177de7857b8fa9c8a6f6d1c1

SHA256
c7109e87b0d20b842816f055a8714f0eebccfa99a031e6b7a472397736329af7

SHA512
1c414aa37879bed96a82a1d14658e58da6d085cd0a6d523a65780c9dc585d78afa99eefc64dc5d9961702dc5fdd8b647f9475eed25ef67287de01f82962921a7

Download Submit
C:\Program Files (x86)\Application Verifier\QQMicroGameBox.exe

Filesize
1.9MB

MD5
7f8f210a6f11a1e556b8dd7bb26e2e7d

SHA1
49a1e7d58e43cc5e177de7857b8fa9c8a6f6d1c1

SHA256
c7109e87b0d20b842816f055a8714f0eebccfa99a031e6b7a472397736329af7

SHA512
1c414aa37879bed96a82a1d14658e58da6d085cd0a6d523a65780c9dc585d78afa99eefc64dc5d9961702dc5fdd8b647f9475eed25ef67287de01f82962921a7

Download Submit
C:\Program Files (x86)\Application Verifier\QQMicroGameBox.exe

Filesize
1.9MB

MD5
7f8f210a6f11a1e556b8dd7bb26e2e7d

SHA1
49a1e7d58e43cc5e177de7857b8fa9c8a6f6d1c1

SHA256
c7109e87b0d20b842816f055a8714f0eebccfa99a031e6b7a472397736329af7

SHA512
1c414aa37879bed96a82a1d14658e58da6d085cd0a6d523a65780c9dc585d78afa99eefc64dc5d9961702dc5fdd8b647f9475eed25ef67287de01f82962921a7

Download Submit
C:\Program Files (x86)\Application Verifier\afd.bin

Filesize
198KB

MD5
f366dac933970f44d93c67875ec656e3

SHA1
e0b39137e1afce9bb3ea4be421091f7f62d045a5

SHA256
2670ae7ac41715c1114c91ca89682a1b9c522727397f182b8bd162d4a89cf534

SHA512
9ea1ee338d9ff4e480e1936ab11c425db38ce97dd7f89675164e9ceac5db8f0fac660c590db47050377056540f9346de9d388429fa71b3f0dc7f088e6cb91697

Download Submit
C:\Program Files (x86)\Application Verifier\sentry.dll

Filesize
49KB

MD5
ba2e2fd07d935adc95090696cf9a636f

SHA1
cc6077e50b86ff845fc4a637573f86c452c5f69f

SHA256
961e3272a08a7652d4197be2a0fb1b6aa75524f5ccadd1942267cfc743be95fc

SHA512
f9bdbb070f1105e530a3f0c9085180f61c34ab4750e4f3be9cc4da23c4040c1fa5d5d9e26cfa526e7b7de8ea41b0e1a3216e69a298246dbf6f5ada00510ca0c7

Download Submit
C:\Program Files (x86)\Application Verifier\sentry.dll

Filesize
49KB

MD5
ba2e2fd07d935adc95090696cf9a636f

SHA1
cc6077e50b86ff845fc4a637573f86c452c5f69f

SHA256
961e3272a08a7652d4197be2a0fb1b6aa75524f5ccadd1942267cfc743be95fc

SHA512
f9bdbb070f1105e530a3f0c9085180f61c34ab4750e4f3be9cc4da23c4040c1fa5d5d9e26cfa526e7b7de8ea41b0e1a3216e69a298246dbf6f5ada00510ca0c7

Download Submit
C:\Program Files (x86)\Application Verifier\sentry.dll

Filesize
49KB

MD5
ba2e2fd07d935adc95090696cf9a636f

SHA1
cc6077e50b86ff845fc4a637573f86c452c5f69f

SHA256
961e3272a08a7652d4197be2a0fb1b6aa75524f5ccadd1942267cfc743be95fc

SHA512
f9bdbb070f1105e530a3f0c9085180f61c34ab4750e4f3be9cc4da23c4040c1fa5d5d9e26cfa526e7b7de8ea41b0e1a3216e69a298246dbf6f5ada00510ca0c7

Download Submit
C:\Users\Admin\AppData\Local\QQMicroGameBox.exe

Filesize
1.9MB

MD5
7f8f210a6f11a1e556b8dd7bb26e2e7d

SHA1
49a1e7d58e43cc5e177de7857b8fa9c8a6f6d1c1

SHA256
c7109e87b0d20b842816f055a8714f0eebccfa99a031e6b7a472397736329af7

SHA512
1c414aa37879bed96a82a1d14658e58da6d085cd0a6d523a65780c9dc585d78afa99eefc64dc5d9961702dc5fdd8b647f9475eed25ef67287de01f82962921a7

Download Submit
C:\Users\Admin\AppData\Local\QQMicroGameBox.exe

Filesize
1.9MB

MD5
7f8f210a6f11a1e556b8dd7bb26e2e7d

SHA1
49a1e7d58e43cc5e177de7857b8fa9c8a6f6d1c1

SHA256
c7109e87b0d20b842816f055a8714f0eebccfa99a031e6b7a472397736329af7

SHA512
1c414aa37879bed96a82a1d14658e58da6d085cd0a6d523a65780c9dc585d78afa99eefc64dc5d9961702dc5fdd8b647f9475eed25ef67287de01f82962921a7

Download Submit
memory/2036-30-0x0000000001070000-0x000000000109A000-memory.dmp

Filesize
168KB

Download
memory/2036-29-0x0000000003260000-0x00000000032C4000-memory.dmp

Filesize
400KB

Download
memory/2036-25-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/3228-7-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/3228-12-0x00000000027A0000-0x0000000002804000-memory.dmp

Filesize
400KB

Download
memory/4044-58-0x0000000001CC0000-0x0000000001D24000-memory.dmp

Filesize
400KB

Download
memory/4044-52-0x0000000001D30000-0x0000000001D5A000-memory.dmp

Filesize
168KB

Download